Need Advice - Virus on the Network

We're running Sonicwall UTM as well as MS Forefront. One of the network shares for users is full read/write.

One machine got compromised and before you knew it, it spread like wildfire. The virus injected an autorun.inf on the mapped drive, changing the attrib. on the folders/files to hidden, and then created a .exe with the name of the folders.

MS Forefront did not catch the virus in real time.

Amazingly, we ran Norton Power Erase on all machines and it seemed to *clear* all the machines. Post Norton PE, we ran it 2X and it seemed to not find any on any of the machines.

We flip the share back online, and it remains stable *no users logged into the machines*. All hell breaks loose again the following morning when a user logs in.

Can someone help me with a plan of attack for isolating the culprit station and/or what steps to clean the network up? I just put the share back online only in READ only mode so people can actually work and get files.

Use a GPO to disable autorun and start searching the public share for autorun.inf and delete ASAP. Change the public share's NTFS permissions from 'Full Control' to 'Modify' for everyone except admins (and make sure your admins aren't infected or you're not stopping anything). Reset the rest of the permissions on the share back to unhide everything and if you're feeling brave turn on auditing for permission change events which should tell you who or what machines are infected.

I've seen this one before, sounds like the VBNA-X worm. Like lurch959 said, turn off autorun via GPO. If you do find autorun.inf on the share, find out who the owner of the file is or who is accessing that file via Comp Management - Shared Folders - Open Files/Sessions from the File Server. Most likely that will be the source machine of the virus. Make sure they have some type of client side protection as well. You can flip the hidden status back to normal using the attrib command from the links below.
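
The share triage described in the two replies above, as an added example that is not part of the original posts: a read-only PowerShell sweep that lists every autorun.inf, every hidden folder, and any same-named .exe sitting beside a hidden folder, together with each file's owner. The UNC path `\\FILESERVER\Public` and the report file name are placeholders, and the script assumes PowerShell 3.0 or later run from a known-clean admin workstation.

```powershell
# Added example: read-only triage of a share hit by the autorun.inf / folder-named .exe
# pattern described in this thread. Nothing is deleted or modified.
param(
    [string]$SharePath  = '\\FILESERVER\Public',   # placeholder UNC path (assumption)
    [string]$ReportPath = '.\share-triage.csv'     # placeholder report file (assumption)
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Item) {
    # The NTFS owner is normally the account whose session wrote the file
    $owner = try { (Get-Acl -LiteralPath $Item.FullName -ErrorAction Stop).Owner } catch { 'unknown' }
    $findings.Add([pscustomobject]@{
        Type = $Type; Path = $Item.FullName; Owner = $owner
        CreatedUtc = $Item.CreationTimeUtc; ModifiedUtc = $Item.LastWriteTimeUtc
    })
}

# -Force is required throughout: the dropped files and the real folders are hidden.
# 1. Every autorun.inf anywhere on the share
Get-ChildItem -LiteralPath $SharePath -Recurse -Force -File -Filter 'autorun.inf' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'autorun.inf' $_ }

# 2. Hidden folders, plus any .exe with the folder's name sitting next to it
Get-ChildItem -LiteralPath $SharePath -Recurse -Force -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    ForEach-Object {
        Add-Finding 'hidden-folder' $_
        $decoy = Join-Path $_.Parent.FullName ($_.Name + '.exe')
        if (Test-Path -LiteralPath $decoy -PathType Leaf) {
            Add-Finding 'folder-named-exe' (Get-Item -LiteralPath $decoy -Force)
        }
    }

$findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation

# Accounts owning the most dropped files are the first machines to pull off the network
$findings | Where-Object Type -ne 'hidden-folder' | Group-Object Owner |
    Sort-Object Count -Descending | Select-Object Count, Name
```

Files written by a member of the local Administrators group may show `BUILTIN\Administrators` as owner instead of the individual account, so cross-check the creation times in the CSV against the file server's open sessions.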